8.2 AIX Auditing

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This recommendation configures AIX auditing in bin mode.

Rationale:

AIX auditing provides a framework within which to capture pertinent system and security related information, such as failed login attempts, cron usage, etc. It is recommended that auditing is enabled as part of a group of measures designed to provide enhanced logging of system and security changes. Further information regarding the setup and management of AIX accounting and auditing can be found in the redbook Accounting and Auditing for AIX 5L.

Solution

Configure AIX auditing in line with the High Level AIX Security Expert policy.
Create a /audit filesystem, at least 100 MB in size:

# The last argument to mklv is the number of logical partitions; use enough
# LPs to reach at least 100 MB given the PP size of rootvg (here 1 LP, for
# a 128 MB PP). The LV name must match the -d argument to crfs.
mklv -y auditlv -t jfs2 -u 1 -c 1 rootvg 1 hdisk0
crfs -v jfs2 -d auditlv -m /audit -A yes -t no
mount /audit

Reflect the following configuration in the /etc/security/audit/config file:

vi /etc/security/audit/config

Add in:

start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds

Add the auditing entries for root and all other users below the pre-defined audit classes:

users:
root = general,SRC,mail,cron,tcpip,ipsec,lvm
<user 1> = general,SRC,cron,tcpip
<user 2> = general,SRC,cron,tcpip
etc.

Update the /usr/lib/security/mkuser.default auditclasses entry to ensure that auditing is set up for any newly created users:

chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip

A cron job is implemented to monitor the free space in /audit, running hourly, to ensure that /audit does not fill up. If /audit is greater than 90% used, /audit/trail is moved to /audit/trailOneLevelBack:

crontab -e

Add in:

0 * * * * /etc/security/aixpert/bin/cronaudit

NOTE: The implementation of a script to suit internal security policy is recommended to further enhance the log rotation process.

Add the audit startup command into /etc/inittab:

mkitab 'audit:2:boot:audit start > /dev/console 2>&1 # Start audit'
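
The following POSIX sh script is an added example, not part of the CIS benchmark or the Tenable audit, that verifies a stanza file in the /etc/security/audit/config format carries the bin-mode settings listed above. It uses a simplified awk stanza parser (an assumption: it handles "stanza:" headers and "key = value" lines, not the backslash-continued class definitions of a full AIX config), writes two constructed sample configs (one compliant, one not) to temporary files, and reports each setting that deviates from the recommendation. On an AIX host the same functions can be pointed at the real file: check_audit_config /etc/security/audit/config.

```shell
#!/bin/sh
# Added example: compliance check for AIX bin-mode audit configuration.
# Not the benchmark's own tooling; parser is a simplified assumption.

# Print the value of KEY inside STANZA of FILE (empty string if absent).
audit_stanza_value() {
    # $1 = file, $2 = stanza name (e.g. start, bin, users), $3 = key
    awk -v stanza="$2" -v key="$3" '
        /^[A-Za-z0-9_]+:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == stanza {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n > 0) {
                k = substr(line, 1, n - 1); v = substr(line, n + 1)
                gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
                if (k == key) { print v; exit }
            }
        }' "$1"
}

# Return 0 if FILE matches the start/bin settings of the recommendation,
# 1 otherwise; print one FAIL line per missing or incorrect setting.
check_audit_config() {
    f="$1"; rc=0
    for spec in "start binmode on" "start streammode off" \
                "bin trail /audit/trail" "bin bin1 /audit/bin1" \
                "bin bin2 /audit/bin2" "bin binsize 10240" \
                "bin cmds /etc/security/audit/bincmds"; do
        set -- $spec                       # $1=stanza $2=key $3=expected
        got=$(audit_stanza_value "$f" "$1" "$2")
        if [ "$got" != "$3" ]; then
            echo "FAIL: $1:$2 = '${got:-<unset>}' (expected $3)"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if every class in the comma-separated list $3 is assigned to
# user $2 in the users: stanza of FILE $1; 1 otherwise.
check_user_classes() {
    got=$(audit_stanza_value "$1" users "$2")
    missing=""
    for c in $(echo "$3" | tr ',' ' '); do
        case ",$got," in
            *",$c,"*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "FAIL: users:$2 missing classes:$missing"
    return 1
}

# Constructed sample configs (not real system files) for demonstration.
GOOD_CFG="${TMPDIR:-/tmp}/audit_cfg_good.$$"
BAD_CFG="${TMPDIR:-/tmp}/audit_cfg_bad.$$"

cat > "$GOOD_CFG" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

users:
        root = general,SRC,mail,cron,tcpip,ipsec,lvm
        alice = general,SRC,cron,tcpip
EOF

# Deviations: stream mode instead of bin mode, no bin1, root under-audited.
cat > "$BAD_CFG" <<'EOF'
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

users:
        root = general
EOF

echo "== compliant sample =="
check_audit_config "$GOOD_CFG" && echo "start/bin settings OK"
check_user_classes "$GOOD_CFG" root general,SRC,mail,cron,tcpip,ipsec,lvm && echo "root classes OK"
echo "== non-compliant sample =="
check_audit_config "$BAD_CFG" || echo "start/bin settings deviate"
check_user_classes "$BAD_CFG" root general,SRC,mail,cron,tcpip,ipsec,lvm || echo "root classes deviate"
```

The check is deliberately exact on the bin stanza paths and binsize so that a drift from the documented values (for example a trail moved off the dedicated /audit filesystem) is reported, while the user-class check only requires the listed classes to be present, so extra classes on a user do not fail it.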

Default Value:

Auditing is not enabled.

See Also

https://workbench.cisecurity.org/benchmarks/13069